Background: The secure nodes install guides did not include a step to restart zen after certificates are automatically refreshed. The server update on March 4-5 with an update to check certs more thoroughly revealed many nodes with expired certs that were not being reported by the tracker app.
After the SSL cert is refreshed, zen appears to make connections and still report that it is TLS_certified true.
If a connection via openssl on the command line is made to the node, the result is the following. Once zend is restarted the openssl connection reports all the certs.
CONNECTED(00000003)
4294956672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1520829934
Timeout : 300 (sec)
Verify return code: 0 (ok)
The solution has been to add the ability for a secure node to restart after an acme.sh certificate renewal.
Is it possible for zend to refresh the certs and respond properly to a TLS connection without a restart?
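The openssl transcript above is worth reading carefully: the failing node still prints `Verify return code: 0 (ok)`, so a monitor that keys on that line alone will report the node healthy, exactly as the tracker app did. The lines that actually mark the failure are `ssl handshake failure`, `no peer certificate available` and `Cipher is (NONE)`. The following added example (not code from the issue or from the zen project) is a small POSIX shell check that classifies `openssl s_client` output on those lines and can be wired into an acme.sh post-renewal hook to restart zend only when the node has stopped serving its certificate. The host, port and restart command are placeholders, and the two embedded transcripts are constructed samples, the first modelled on the failing output quoted in this issue.

```shell
#!/bin/sh
# Added example, not part of the original issue. Host/port/restart command are placeholders.

NODE_HOST="${NODE_HOST:-node.example.invalid}"      # placeholder hostname
NODE_PORT="${NODE_PORT:-9033}"                       # assumed node TLS port; adjust to yours
ZEND_RESTART_CMD="${ZEND_RESTART_CMD:-systemctl restart zend}"  # assumed restart command

# tls_output_ok OUTPUT
# Returns 0 when the s_client transcript shows a completed handshake with a served
# certificate, 1 otherwise. "Verify return code: 0 (ok)" is deliberately NOT sufficient
# on its own: the failing transcript in the issue prints it too.
tls_output_ok() {
    out="$1"
    printf '%s\n' "$out" | grep -q  'no peer certificate available' && return 1
    printf '%s\n' "$out" | grep -qi 'handshake failure'             && return 1
    printf '%s\n' "$out" | grep -q  'Cipher is (NONE)'              && return 1
    printf '%s\n' "$out" | grep -q  'Verify return code: 0 (ok)'    || return 1
    printf '%s\n' "$out" | grep -q  'Server certificate'            || return 1
    return 0
}

# probe_node HOST PORT
# Live check: run openssl s_client against the node and classify the transcript.
probe_node() {
    out=$(printf '' | openssl s_client -connect "$1:$2" 2>&1)
    tls_output_ok "$out"
}

# renew_hook
# Intended as the command acme.sh runs after a successful renewal: if the node no
# longer completes a TLS handshake, restart zend so it picks up the new certificate.
renew_hook() {
    if probe_node "$NODE_HOST" "$NODE_PORT"; then
        echo "node serves a valid certificate; no restart needed"
    else
        echo "handshake failed after renewal; restarting zend"
        sh -c "$ZEND_RESTART_CMD"
    fi
}

# Constructed sample: the failing transcript from the issue (abridged).
SAMPLE_BAD="CONNECTED(00000003)
4294956672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)"

# Constructed sample: what a healthy node prints after zend has been restarted.
SAMPLE_GOOD="CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=node.example.invalid
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB(placeholder, constructed)
-----END CERTIFICATE-----
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)"

# Usage: ./check.sh            -> self-check against the two samples
#        ./check.sh --hook     -> run as the acme.sh post-renewal hook
if [ "${1:-}" = "--hook" ]; then
    renew_hook
elif [ "${1:-}" = "--self-check" ]; then
    tls_output_ok "$SAMPLE_GOOD" && echo "good sample: ok"
    tls_output_ok "$SAMPLE_BAD"  || echo "bad sample: correctly flagged"
fi
```

The same classification can be run by the tracker side against its own probe output; the point is that a certificate check must look for the served certificate and a negotiated cipher, not only at the verify return code.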